Cyber Security: An Introduction


Security is always a trade-off between convenience and protection. A good security policy is convenient enough to prevent users from rebelling, but still provides a reasonable amount of protection against common threats.

Prepared by Cronkite Security Consulting


Rationale

The purposes of this report are the following:

- Inform clients of Cronkite Security Consulting of the current issues related to computer security
- Educate clients on steps they can take to make their computers more secure

This document specifically pertains to our clients' Information Technology, but is applicable to all departments and their computer facilities. This document does not supersede, but rather enhances, clarifies, and complements, the standards for computer use already specified by each client's Threat Protection Plan.

Modern Threats

Every day and night, a typical Information Technology (IT) Department at a typical midsized corporation is quietly attacked by Internet outsiders who are trying to find weaknesses in the company's network by using port scans, Trojan horses, viruses, and other hacker tools. All of our clients report that their systems have at one time or another been compromised by outsiders. In some cases, the outsiders then used company systems to attack and wreak havoc on other network locations. Some of our clients' files have been corrupted or deleted by unscrupulous hackers. Unauthorized personnel have used IT computers to send inflammatory messages.

Modern Solution

The solution is for all IT staff to become informed of the dangers of the Internet and to take necessary precautions. This is not easy. In fact, a state of perfect security is impossible. Security is not a destination, but a journey, a process requiring vigilance from all the members of an organization. Security is a process of constantly adjusting to changing conditions, modifying existing passwords, enhancing existing firewalls, securing the physical locations of computers, training personnel, and updating all security systems. IT personnel have the continual and constant responsibility for protecting their organization's resources.

A Secure Plan

The policies and procedures described in this document seek to find a happy medium between security on the one hand and convenience, flexibility, and budget limitations on the other. No organization can enjoy both a high level of security and a high level of convenience. Increased security always decreases convenience, and vice versa. For this reason, security procedures demand constant communications between users and managers. Therefore, all personnel are cordially invited to discuss this document with their organization's IT Director so that the balance between security and convenience is continuously updated.

The security procedures involve the following general areas:

- Structured Security
- Location Security
- Password Security
- E-mail and Anti-Virus Security
- Operating System Security

By taking the necessary steps in each of these areas, the risk of security compromises will be lowered to an acceptable level.

Structured Security

IT security should be under the direction of a Computer Security Committee. Ideally, this committee would consist of six people:

- The IT Director
- Three managerial members from different departments in the organization
- Two non-managerial members, usually members of the support staff

The responsibilities of the Computer Security Committee are fourfold:

- Oversee all security matters in the organization
- Set and enforce security policies
- Monitor the balance between security and convenience

The person directly in charge of computer security is the IT Director. He or she carries out the policies set by the Computer Security Committee. We recommend that each IT department employ one employee who can spend up to 20 hours per week on security measures.

Location Security

During hours that an organization's facilities are unlocked, its IT Department personnel should do the following:

- Keep IT offices locked while not present.
- Keep outer doors to office complexes locked when appropriate.
- Keep doors to computer network servers locked at all times.
- Maintain backups of all important files in separate physical locations.

[Figure 1: Backups Off Site; Server Doors Locked; IT Doors Locked; Outer Doors Locked]

Figure 1 illustrates these important recommendations. For a larger, poster-sized copy of Figure 1, please Thalia Cruz at

She would be happy to send multiple copies for posting throughout your organization's IT department.

Passwords

Eighty percent of security is proper password management. This means that:

- Every computer, where possible, has an access password.
- Each user has a password to access the department network.
- Large, important, or confidential files should be password protected.

For passwords to be most effective, users should use the following guidelines:

- Passwords should be at least 8 characters long.
- Passwords should not be words found in any dictionary.
- Passwords should include letters, numbers, and punctuation.
- Passwords should not be written down anywhere, and therefore should be easily remembered by the user but nonsense to anyone else. For example, w2mmed means "walk to mountain meadow" to the user, but would be nonsense to others. The password wrks4zip means "works for nothing" to the user but would be impossible to guess by anyone else.
- Passwords should never be given to anyone else.
- Passwords should never include readily accessible personal information such as addresses, telephone numbers, or family or pet names.

The goal, then, in creating passwords is to combine letters, symbols, and numbers to make lengthy nonsense. This makes the password nearly impossible for malicious hackers to determine. Users should change their passwords monthly, without ever repeating a previous password. If a computer system is suspected of being compromised, then all passwords on that system should be changed immediately. An IT officer should periodically remind the network users to make sure their passwords follow the above guidelines.

E-mail & Anti-Virus Protection

All users should have anti-virus software loaded on their computers and should be diligent in keeping anti-virus definitions current to protect against the latest viruses. Users of Microsoft Outlook and Outlook Express should make sure that their mail clients have the latest security patches to prevent the automatic running of attachments. E-mail users should never open attachments or messages from unknown sources.

Network Security

Network security begins with the department network firewall. The Information Technology firewall should be configured to deny all traffic to and from computers outside the department unless such traffic meets a clear need and is approved by the department Computer Security Committee. No FTP or Telnet should be allowed through the firewall without specific approval. Even with approval, those using FTP, Telnet, Xwindows, or VPN should use Secure Shell for Unix/Linux/Windows clients.

All Web and e-mail servers should reside on the DMZ port of the firewall only. Data packets attempting to pass through the Information Technology network should be allowed only if they come from internal addresses or from approved external addresses. The Computer Security Committee should review specific exceptions to these firewall rules.

Department network ports should allow access to HTTP (Web), HTTPS/SSL (Secure Web), SMTP and POP3 (e-mail), and other necessary services vital to department functions.

NAT (Network Address Translation) will be deployed on the private (trusted) side of the Information Technology network to translate all internal (private) TCP/IP addresses to one public (untrusted) TCP/IP address that can be seen on the public (untrusted) side of the Information Technology network.
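The firewall policy in the Network Security section can be checked mechanically against a rule set. The following is an added example, not part of the original report: the `Rule` type, the zone names `outside`, `inside` and `dmz`, the `approved` flag and both rule sets are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

ANY = "any"
NEEDS_APPROVAL = {21: "FTP", 23: "Telnet"}   # services the report singles out

@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: str                # hypothetical zones: "outside", "inside", "dmz"
    dst: str
    port: object            # int or ANY
    approved: bool = False  # signed off by the Computer Security Committee

DENY_ALL = Rule("deny", ANY, ANY, ANY)

def decide(rules, src, dst, port):
    """First matching rule wins; traffic matching no rule is denied."""
    for r in rules:
        if r.src in (ANY, src) and r.dst in (ANY, dst) and r.port in (ANY, port):
            return r.action
    return "deny"

def audit(rules):
    """List the places where a rule set departs from the report's policy."""
    findings = []
    if not rules or rules[-1] != DENY_ALL:
        findings.append("rule set does not end in deny-all")
    for i, r in enumerate(rules, 1):
        if r.action != "allow" or r.approved:
            continue
        if r.port in NEEDS_APPROVAL:
            findings.append(f"rule {i}: {NEEDS_APPROVAL[r.port]} allowed without approval")
        if r.src == "outside" and r.dst != "dmz":
            findings.append(f"rule {i}: outside traffic admitted to {r.dst}, not the DMZ")
        if r.port == ANY and "outside" in (r.src, r.dst):
            findings.append(f"rule {i}: every port open across the perimeter")
    return findings

# Constructed rule sets for illustration.
WEAK = [
    Rule("allow", "outside", "dmz", 443),
    Rule("allow", "outside", "inside", 23),   # Telnet into the internal network
    Rule("allow", "inside", "outside", ANY),
]
HARDENED = [
    Rule("allow", "outside", "dmz", 443),
    Rule("allow", "inside", "outside", 443, approved=True),
    DENY_ALL,
]
```

`audit(WEAK)` reports four findings, while `audit(HARDENED)` reports none and `decide` refuses the Telnet connection that the weak set admits.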
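The guidelines in the Passwords section can be written as a checker that IT staff run when a password is set. The following is an added example, not part of the original report: the word list, personal details and password history are constructed sample data, and keeping the history as salted PBKDF2 digests rather than plaintext is an assumption of this example.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8  # "at least 8 characters long"

def hash_password(password, salt=None):
    """Return (salt, digest) so the history never holds plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def was_used_before(password, history):
    """history: (salt, digest) pairs kept from the user's earlier passwords."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history
    )

def check_password(password, dictionary=(), personal=(), history=()):
    """Return the list of guidelines the candidate password violates."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    if lowered in {w.lower() for w in dictionary}:
        problems.append("dictionary word")
    if any(p.lower() in lowered for p in personal if p):
        problems.append("contains personal information")
    if was_used_before(password, history):
        problems.append("repeats a previous password")
    return problems

# Constructed sample inputs (hypothetical user data, not from the report).
WORDS = ["mountain", "meadow", "password"]
PERSONAL = ["rex", "5551234"]
HISTORY = [hash_password("Old!pass42")]

if __name__ == "__main__":
    for candidate in ["w2mmed", "wrks4zip", "rex5551234!", "Old!pass42", "w2mm,ed&4zip"]:
        print(candidate, check_password(candidate, WORDS, PERSONAL, HISTORY))
```

Run against the report's own sample passwords, the checker flags w2mmed for length and missing punctuation and wrks4zip for missing punctuation.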
